Clarity on certificates #fabric #hyperledger-fabric #fabric-questions


chanjaljayaram@...
 

Could anyone please clarify the below queries that I have around certificates and CAs in Hyperledger Fabric?

1) I see that Fabric doesn't support RSA certificates. Does this mean there shouldn't be an RSA certificate in the entire certificate chain? Can the Root CA be an RSA certificate?
2) If we have a single Certificate Authority issuing certificates to multiple Fabric networks (using the NodeOU feature), does this mean that an organization in one of the Fabric networks can get access to other Fabric networks if they both are using the same CA and OU? Does this also mean that the recommendation is to go with separate Certificate Authorities for each Fabric network (which would mean that each organization would have to set up an exclusive and dedicated CA for each of the Fabric networks that they are part of)?


Yacov
 

1. You can use RSA in TLS, and you can use RSA root CAs for enrollment certificates (the certificates that sign transactions).
2. Yes! Because the client or node can present a certificate that is signed by CAs of both networks.




From:        chanjaljayaram@...
To:        fabric@...
Date:        01/05/2021 06:53 PM
Subject:        [EXTERNAL] [Hyperledger Fabric] Clarity on certificates #fabric #hyperledger-fabric #fabric-questions
Sent by:        fabric@...
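The cross-network acceptance described in the second answer can be reproduced with Go's standard `crypto/x509` package. This is an added example, not Fabric code and not part of the original thread: `admits` is a simplified stand-in for an MSP identity check (chain to the network's root CA plus the role OU), and the helper names, CA names and certificates are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCert issues a constructed test certificate; a nil parent yields a self-signed root.
func newCert(cn, ou string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), IsCA: isCA, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}
// admits models (simplified) an MSP check: chain to the network's root CA and carry the role OU.
func admits(root *x509.Certificate, ou string, id *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := id.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && len(id.Subject.OrganizationalUnit) == 1 && id.Subject.OrganizationalUnit[0] == ou
}
// demo issues an OU=client identity from network A's CA and presents it to network B.
func demo() (sharedCA, dedicatedCA bool) {
	caA, keyA := newCert("ca-a.example", "ca", true, nil, nil)
	caB, _ := newCert("ca-b.example", "ca", true, nil, nil)
	id, _ := newCert("user1", "client", false, caA, keyA)
	// Network B trusting A's CA (shared) versus trusting only its own CA (dedicated).
	return admits(caA, "client", id), admits(caB, "client", id)
}
func main() { fmt.Println(demo()) }
```

With a shared CA the identity is admitted by the second network; with a dedicated CA per network the same identity fails chain validation there.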